As the name implies, an application secret is anything about an application that its developer wants to keep secret, such as passwords, API keys, and digital certificates. Typically, these secrets are used for identity and access management (IAM), making protecting them a vital component of access control — particularly in cases where the application has access rights to business-critical services and systems.
For DevOps teams, the challenge of managing application secrets is particularly pressing. To avoid slowing down the pace of application delivery, some developers store application secrets directly in source code. This is convenient, but it is a serious mistake: it exposes material that threat actors can use to escalate privileges and gain unauthorized access to systems and applications. Moving secrets into configuration files or environment variables is not a real fix either; the secrets remain susceptible to theft, compliance becomes harder to demonstrate, and overall risk increases.
Managing application secrets effectively also improves efficiency. Automation requires more communication between machine identities, all of which must authenticate to one another securely. Similarly, the growing adoption of containers has increased the number of application secrets developers use to support authentication. With more containers, restricting each container's access rights and governing the lifecycle of those privileges becomes more complex, and the number of secrets in use can sprawl out of control.
In response to these problems, many organizations vault secrets away using secrets management solutions. Secrets management software programmatically manages secrets for human and machine identities through SDKs and APIs, orchestrating their creation, storage, and revocation. It brokers trust between the parties exchanging secrets, so that only trusted applications and scripts can request privileged account credentials and retrieve passwords. These solutions also typically let organizations log and review recent activity related to stored secrets, such as when they were accessed or modified and by whom.
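The lifecycle the paragraph above describes (secrets created and stored by an administrator, trust brokered by an identity-specific token, reads allowed only by policy, secrets revoked, every attempt audited) can be shown end to end in a small program. The following Python is an added example written for this page; it is not code from any secrets management product, and the `SecretsBroker` class, the `payments-svc` and `reporting-job` identities, and the secret values are all constructed for illustration. A real product would keep the store encrypted at rest and expose the administrative calls through a separate, privileged interface; the toy keeps everything in memory so it runs offline.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass
class AuditEvent:
    """One record of who did what to which secret, and whether it succeeded."""
    timestamp: float
    identity: str
    action: str
    secret_name: str
    outcome: str


class SecretsBroker:
    """Hypothetical in-memory secrets manager (constructed for this example).

    Secrets live only inside the broker. Callers authenticate with a
    per-identity token and may read only the names their policy allows.
    Every attempt, successful or not, is written to the audit trail.
    """

    def __init__(self) -> None:
        self._store: Dict[str, str] = {}          # secret name -> value
        self._policy: Dict[str, Set[str]] = {}    # identity -> readable names
        self._token_hashes: Dict[str, str] = {}   # sha256(token) -> identity
        self.audit: List[AuditEvent] = []

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store only a hash of each token so a dump of the broker's memory
        # does not hand out usable credentials.
        return hashlib.sha256(token.encode()).hexdigest()

    def _record(self, identity: str, action: str, name: str, outcome: str) -> None:
        self.audit.append(AuditEvent(time.time(), identity, action, name, outcome))

    # --- administrative path (would sit behind a separate, privileged API) ---
    def register_identity(self, identity: str, allowed: Set[str]) -> str:
        """Issue a fresh token for an application or script and bind its read policy."""
        token = secrets.token_urlsafe(32)
        self._token_hashes[self._fingerprint(token)] = identity
        self._policy[identity] = set(allowed)
        self._record("admin", "register", identity, "ok")
        return token

    def put(self, name: str, value: str) -> None:
        self._store[name] = value
        self._record("admin", "put", name, "ok")

    def revoke(self, name: str) -> None:
        """Remove a secret so no identity, authorized or not, can read it again."""
        self._store.pop(name, None)
        self._record("admin", "revoke", name, "ok")

    # --- client path ---
    def _authenticate(self, token: str) -> Optional[str]:
        presented = self._fingerprint(token)
        for stored, identity in self._token_hashes.items():
            if hmac.compare_digest(stored, presented):  # constant-time compare
                return identity
        return None

    def get(self, token: str, name: str) -> str:
        """Return a secret only for an authenticated identity whose policy allows it."""
        identity = self._authenticate(token)
        if identity is None:
            self._record("unknown", "get", name, "denied: bad token")
            raise PermissionError("unauthenticated")
        if name not in self._policy.get(identity, set()):
            self._record(identity, "get", name, "denied: policy")
            raise PermissionError(f"{identity} may not read {name}")
        if name not in self._store:
            self._record(identity, "get", name, "denied: revoked or missing")
            raise KeyError(name)
        self._record(identity, "get", name, "ok")
        return self._store[name]


def demo() -> List[str]:
    """Walk one secret through its lifecycle and return the audit trail, one line per event."""
    broker = SecretsBroker()
    broker.put("db-password", "constructed-sample-value")  # constructed, not a real credential
    payments = broker.register_identity("payments-svc", {"db-password"})
    reporting = broker.register_identity("reporting-job", set())
    broker.get(payments, "db-password")          # allowed by policy
    try:
        broker.get(reporting, "db-password")     # authenticated but not authorized
    except PermissionError:
        pass
    broker.revoke("db-password")
    try:
        broker.get(payments, "db-password")      # revoked: even the allowed identity fails
    except KeyError:
        pass
    return [f"{e.identity} {e.action} {e.secret_name}: {e.outcome}" for e in broker.audit]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running the file prints the audit trail; the denied reads are the lines a security team would alert on, since an identity asking for a secret outside its policy, or for one that has been revoked, is exactly the signal that a token or a deployment has drifted from what was intended.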